IE Popups kill PC

Hello experts,
I am noticing a rash of infections on PCs whose users keep their
antivirus defs up to date and their Windows patches up to date. They're
cautious about what they download & install. Their PCs had been
functioning fine until a couple of weeks ago. Now I am hearing a
handful of stories of sudden infections. IE brings up so many popup
windows so fast that the PC eventually says "out of memory" and they
have to shut down. They've run SpyBot, AdAware, updated their antivirus
defs & done a full scan, all Windows patches are up to date, etc. The
things that SB finds are successfully immunized. Some have even gone
out and purchased WebRoot Spy Sweeper and still the popups continue at
a rapid pace. Any ideas as to what seems to be running around out there
infecting seemingly "protected" PCs? An attempt at repairing XP gave
many errors on not being able to access one file or another. Any idea
how to eradicate it without having to wipe & reinstall XP?
Thank you for any advice/wisdom!!
CBru

Just a thought, but I have repaired several machines in the last week by
restoring them from a previous day. I have had luck with PCs that I have repaired by
then teaching them to create a restore point weekly, and then when there are
problems like you say, I restore and the problems are removed. May not work
for you but did for me. Also... back up, back up, back up. If you have a CD or DVD
burner, besides music, you can back up the system. XP has a very nice backup utility
that will back up the ENTIRE system, from which it will create boot disks etc., and
then you can restore the whole thing, programs and all. I have had very good
luck with that too from my repair customers. You have to maintain backups just like
you would tune up a car. Another way to go is to get a second hard drive, and then
you can back up to it or use GHOST to create an image from which you can restore.
Once you take some time to set it up, it's really easy to recover
from spyware etc.
good luck
david

Hi, have you tried booting into safe mode and running the spyware and virus
software from there?
Also try disconnecting from the net and internet before booting into safe
mode to try and isolate the PC.

You might also want to try using PestPatrol, TDS-3 or Trojan Hunter.

TDS-3 is for experienced users; with lots of settings and highly
configurable.

Trojan Hunter is user friendly and almost as powerful as TDS-3.

PestPatrol is a holistic program dealing with Trojans, Spyware, Adware and
generally nasty little bugs you may not find with any other program.

Get hold of these and run them on the system, and they should find and
eliminate your bugs.

I would say to remove all temp files, temp internet files, and cookies.
Run Spybot and Adaware again. Also this link will take you to a list of
Trojans and spybots that are harmful. Go into your task manager and check each
.exe against this list. It has worked wonders for me.

Hello,
Have you tried CWShredder yet? Adaware6 and Spybot couldn't take care of some of the problems on one of the computers I was working on. CWShredder should take care of them if it is related to CoolWeb Search. Here is the link to download from.
Good luck,
Kurt
http://www.net-integration.net/tools/hijackthis.html

Keep in mind that you should not run cwshredder on a system unless you have
confirmed that you have a cool.web.search trojan variant. This could create
more problems if you have a peper trojan or other exploit running that is
looking for the cwshredder application to be run. Use the hijackthis app to
document your system and work with someone experienced to determine what the
trojan is that is causing your problem.

CWShredder checks to see if there is a CWS trojan on the system. Only
if it finds one will it do anything, and then it will only affect that
trojan variant. Hijack This is a great tool but it is not necessary
to check a system with that first, any more than it is necessary to
check a system with it before running SpyBot or Adaware.

It is the trojans that will do bad things when you try to run CWShredder
that you need to worry about. This is why you really need an expert to look
at the hijackthis logs to determine which variants of the hundreds of
browser hijack exploits are in play on the machine to make sure that you do
not do more damage trying to remove them.

Also keep in mind that many of the newer CWS variants that have appeared in
the last month cannot be completely removed from a system using CWShredder
anymore. Variants have gotten so potent that Merijn (author of hijackthis
and cwshredder) has given up updating the tool any further. Current CWS and
other trojans are getting too potent to be removed with an automated tool.

Hi everyone,
First I want to say Thank You! for all the advice and great info.
I want to post some follow up info and hope to also post a final
solution (if there is one). I have since done a ton of reading and it
seems nearly impossible to keep ahead of the nasties out there. And
there are so many 'solutions', how does one go about choosing the
correct one?
Running SpyBot found the common ones: Alexa, AvenueA, HitBox,
MediaPlex, WebTrends.
WebRoot Spy Sweeper only found a few of the same. NAV found nothing.
Messenger was already disabled.
While doing additional research, we suspected one of the PCs was
infected with HuntBar based on the symptoms, but a search for msiets.dll
found nothing.
One of the PCs will act seemingly fine until we try to download patches
from Microsoft, then the popup windows start flying up. They are all
titled "Internet Explorer" and they start adding themselves to the Start
bar.
One of the guys got so frustrated that he backed up his data and
reloaded XP before we had a chance to do any investigating.
Will installing a LinkSys firewall/router help to prevent any of this in
the future?
I hope to post additional info on what works and what doesn't.
Thanks again,
CBru

Spybot and Adaware are not enough to deter spyware/pop-ups and hidden
ActiveX/Java scripts malware or spy software. I've done this on my Windows
XP Pro and Win2k machines and they don't work. On my XP Pro machine I can't
start Spybot or Adaware anymore. When I double-click on it, the program
seems to load but then it never does. The ONLY TIME it will load is under
SAFE MODE. NAV can't detect any virus activities even though I have the most
recent updates. Now, I'm seeing pop-ups appearing on my desktop, and my
browser default page in IE is switched to another site, although it said
"BLANK" in the web browser address. The DLL file was modified by some sort
of spyware.

In all, I'm tired of this spyware. I will format and do a clean install of
XP and Win2k. This seems to me the only possible way of getting rid of it,
unless the spyware spreads onto other partitions. Regardless, a clean install
of the OS is the only possible way. IN ADDITION, I will turn my IE
security settings to MAXIMUM and disable all ACTIVEX/JAVA Script. This
seemed to fix the problem before, but then I enabled it because some sites
wouldn't allow me to browse them unless I enabled cookies.

Also, when I shut down my WinXP Pro PC it said someone is connected/logged
on to the machine. It asks me if I want to shut down. I have IIS installed,
but the FTP and HTTP services are both stopped. No one else has logged on. SO am
I being hacked? I doubt it, since I'm on a wireless network, behind a router,
and have set my security to maximum.

A number of trojan variants are now halting Adaware and spybot from running
on a machine. Lavasoft has released a cloak program for adaware that will
disguise its signature and allow it to run. Lavasoft makes it available
here:

Jeem, your 2 cents is right on the money. I am in the same boat, as my job requires me to fix IE/Windows problems. However, I don't use IE unless I need to (and there are sites that require IE). On my personal computers I use Slackware and Debian Linux and I love not having to deal with all the trash that comes along with running Windows. I'm not knocking Windows or Microsoft for that matter, it's just that for surfing the net (doing research) and doing the basics that I do with an office suite, you can't beat the price or the privacy that I get with Linux.

When I do use XP (at work) I use Mozilla Firefox. And I have yet to get burned (but I'm sure I will eventually).

One last note, I've been using SP2 RC2 for the last three weeks. IE has built in popup blocking (finally) and I must say that the overall experience with the new IE is much better. Though they still don't have tabbed browsing.

The main difference that I have seen in Firefox is the ability to use some Microsoft products like Microsoft Outlook. I couldn't send a page in Outlook while running the other versions of Mozilla. In Firefox you can and it really looks a lot like IE6. Don't know about any other differences off the cuff.

>The main difference that I have seen in Firefox is the ability to use some Microsoft products like Microsoft Outlook. I couldn't send a page in Outlook while running the other versions of Mozilla. In Firefox you can and it really looks a lot like IE6. Don't know about any other differences off the cuff.
>
>Thanks,
>Rex
>

I think Firefox is very customizable, e.g. you can make it look pretty. It's
also a lite version of Mozilla; it doesn't have email facilities, but you
can download Thunderbird to add email support. It also has a few security
updates. Unless you like tweaking I'd stick with Mozilla. I also like
Maxthon (formerly MyIE2).

There are some really nasty trojans running around out there right now that
take advantage of a number of holes and bugs in Internet Explorer for which
no patches exist. Things such as the Cool.Web.Search series of trojans are
spawning dozens of variants each week that are getting harder and harder to
eliminate without a complete format and rebuild. These are browser
hijackers and can do some terrible things. I would suggest starting with a
system mapping tool such as Hijackthis.

Which will give you a long list of registry and file details on the infected
system. Then I would find a website that offers forums with security
experts that can look at those details and help you to determine the browser
hijack trojan(s) that are in play on the machine and direct you to resources
and tools to help clean them out (if it is possible).

These things are getting trickier by the day, and sometimes using methods
that would clean out an old variant may cause a newer one to get a lot worse.
New versions are also known to attack and explode anti-virus and anti-spyware
tools, so you do need to be careful. Good luck!

Have you turned off the messenger service? This is not to be confused with Windows Messenger, but is a service that can be disabled. Its purpose is to allow alert messages to be received and is commonly used to send pop-ups. Hope this helps.

Linksys or any other brand of router/firewall will not have any effect on
these browser hijacks. It takes application layer intrusion prevention
systems to perform the inspection required to catch these things.

As far as troubleshooting is concerned, it shouldn't have to be trial and
error of using tools. In fact some trial and error could make your problems
worse as there are variants that look for you to run the wrong tool and then
use code escalation to run other processes in place of the tool you were
trying to run. This is why I usually ask people to post their hijackthis
logs. Those of us experienced in looking at the entries that Hijackthis
retrieves can usually identify the specific trojan and variant that is
involved and point you to the specific tools and processes that will clean
it out.
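
The first-pass reading of a HijackThis log that the posts above describe, sketched as an added example (not part of the thread and not code from HijackThis): it groups entries by section code and lists the ones a reviewer would look at first. The sample log, its paths, CLSIDs and program names are constructed, and the three heuristics are assumptions chosen for illustration, not a verdict on any entry.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis's plain-text log layout. Every path, CLSID
# and program name below is made up for illustration.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\user\LOCALS~1\Temp\example1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\example2.dll/sp.html
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\example2.dll
O2 - BHO: ExampleReader Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\ExampleReader\helper.dll
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
O4 - HKLM\..\Run: [upd] C:\DOCUME~1\user\LOCALS~1\Temp\example1.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # e.g. "O2 - BHO: ..."
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
TEMP_DIR = re.compile(r"\\(temp|locals~1)\\", re.I)    # long or 8.3 temp path


def parse_log(text):
    """Split a log into (running_processes, {section_code: [entry, ...]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False            # the process list ends at the first entry
            entries[m.group(1)].append(m.group(2))
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)


def triage(text):
    """Return (code, reason, detail) tuples for a human reviewer to check."""
    processes, entries = parse_log(text)
    notes = []
    for p in processes:
        if TEMP_DIR.search(p):
            notes.append(("PROC", "process running from a temp directory", p))
    for code in ("R0", "R1"):           # IE start page / search page settings
        for e in entries.get(code, []):
            _, _, value = e.partition(" = ")
            if value.strip().lower().startswith("res://"):
                notes.append((code, "IE page served from a local DLL resource", e))
    for e in entries.get("O2", []):     # Browser Helper Objects
        m = BHO.match(e)
        if m and m.group(1) == "(no name)":
            notes.append(("O2", "BHO with no registered name", m.group(3)))
    for e in entries.get("O4", []):     # registry autostart entries
        if TEMP_DIR.search(e):
            notes.append(("O4", "autostart entry launching from a temp directory", e))
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(*note, sep=" | ")
```

The output is a reading aid for whoever reviews the log; it removes nothing and does not replace the expert review the posts recommend.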

>Spybot and Adaware are not enough to deter spyware/pop-ups and hidden
>ActiveX/Java scripts malware or spy software. I've done this on my Windows
>XP Pro and Win2k machines and they don't work. On my XP Pro machine I can't
>start Spybot or Adaware anymore. When I double-click on it, the program
>seems to load but then it never does. The ONLY TIME it will load is under
>SAFE MODE. NAV can't detect any virus activities even though I have the most
>recent updates. Now, I'm seeing pop-ups appearing on my desktop, and my
>browser default page in IE is switched to another site, although it said
>"BLANK" in the web browser address. The DLL file was modified by some sort
>of spyware.
>
>In all, I'm tired of this spyware. I will format and do a clean install of
>XP and Win2k. This seems to me the only possible way of getting rid of it,
>unless the spyware spreads onto other partitions. Regardless, a clean install
>of the OS is the only possible way. IN ADDITION, I will turn my IE
>security settings to MAXIMUM and disable all ACTIVEX/JAVA Script. This
>seemed to fix the problem before, but then I enabled it because some sites
>wouldn't allow me to browse them unless I enabled cookies.
>
>Also, when I shut down my WinXP Pro PC it said someone is connected/logged
>on to the machine. It asks me if I want to shut down. I have IIS installed,
>but the FTP and HTTP services are both stopped. No one else has logged on. SO am
>I being hacked? I doubt it, since I'm on a wireless network, behind a router,
>and have set my security to maximum.
>
>Best of luck!
>Tony Tran
>
>
>
Why even use Internet Explorer?
I realize that that isn't saying much but it seems it would resolve most
people's problems.
The only reason I have to troubleshoot IE problems is because it is my job.
As soon as I figure out how to get rid of the latest malware another
one shows up.
First it was CWShredder, now it's Wintools.
There is no end to all this.
IE was made for a friendly world and it is a great browser for
functionality reasons but of course we don't live in a friendly world.
2 cents
Jeem

Hi, sent one mail but found a sticky on another F***m (Be nice to me on this
one Moderators). I feel it's a worthwhile post so I have copied it and
pasted it here, with credit going to JasonQG who wrote this sticky.

Quote:

I've been meaning to do this for a while, so without further ado, here are
some Mozilla Tips, Tricks, and Info. For newbies and experts alike:

Mozilla (Seamonkey suite) vs. Mozilla Firefox
The Mozilla suite is the project with the codename Seamonkey. As of now, it
is the main branch of the Mozilla.org project, and is the codebase for other
projects, such as Netscape. Besides being a browser, it is also a mail
application, an IRC client, and an HTML editor. In the future, the Mozilla
project will switch to a new browser codenamed Mozilla Firefox (formerly
Firebird and Phoenix). There will also be a standalone mail application
(Mozilla Thunderbird), and the other apps from the Mozilla suite will come
later as well.

So which one should you use now? Mozilla Firefox has a lot of advantages
over Seamonkey. It's smaller, sleeker, more intuitive, and quicker. I would
recommend it exclusively, except for the fact that it's still beta software.
Though it's not going to screw anything up and damage your computer in any
way, it can be a bit of a pain sometimes. Most notably, you usually have to
erase your profile and start over with each release. For this reason, I
stick with the bulkier Mozilla, but if you're willing to put up with it,
Mozilla Firefox is probably worth it.

For the sake of this post, I will generically refer to the browser as
"Mozilla," but these tricks will mostly work for Mozilla Firefox, as well.

Importing IE bookmarks
I think Mozilla should do this automatically, but if it doesn't or you want
to do it again, it's an easy enough process.
In MSIE, go to File > Import and Export...
Next > Export Favorites (Next) > Choose your favorites folder (Next) >
Export to a File (Browse to save it where you want it) > Finish.
In Mozilla, go to Bookmarks > Manage Bookmarks...
In the Manage Bookmarks window, go to Tools > Import ... > Choose the file
you just exported from MSIE.
Choose Open and you are done.

Mouse Gestures
Mouse gestures allow you to quickly do common tasks like go back and forward
with a flick of the wrist. Opera users should be familiar with this
incredibly handy feature. I set mine to work on the right mouse button, and
I turn on the mouse trails support (settings found in edit -> preferences ->
advanced -> mouse gestures). To add support for this in Mozilla, go here:
http://optimoz.mozdev.org/
Once installed, check out this page to see all the cool mouse gestures you
can use:
http://optimoz.mozdev.org/gestures/defaultmappings.html
You'll get so hooked on this that you'll be doing it in other programs out
of habit.

Popup blocking
Enabled by default in Mozilla Firefox, you must enable this manually in the
Mozilla suite. Edit -> preferences -> privacy & security -> popup windows.
Whenever a popup is blocked, it will be indicated by an icon at the bottom
of the window. If you click this icon, you can add the site to a whitelist
of allowed popup sites. So, if legitimate content is being blocked, you can
let it through. Or, if you want to let a great site like Rage3D make some
money, you can allow popups from here.

Basic Tabbed Browsing
Tabbed browsing is one of the best innovations to come around in years.
Opera was the first mainstream browser to have tabs, but Mozilla was the
first to allow multiple tabs and multiple windows (this is what makes it a
killer feature for organizing dozens of open pages at once). To start off,
go to "edit -> preferences -> navigator -> tabbed browsing" and check all
the options on. Now, when you want to open a bunch of links on a page, just
middle click each link and watch all the pages load in the background at
once. This will change your life.

Advanced Tabbed Browsing
Mozilla's tabs are pretty good to begin with, but they can get even better
by installing Tabbed Browser Extensions. With this, you can easily open
bookmarks in new tabs, rearrange your tabs, change the order tabs open,
group tabs, and much more. It'll take you hours to look through all the
preferences (edit -> preferences -> navigator -> tabbed browsing).
http://white.sakura.ne.jp/~piro/xul/_tabextensions.html.en
(You can ignore the requests to install the Japanese language pack, if you
want)

Plugin Help
Most plugins work with Mozilla without doing anything, but if you have
trouble, there are solutions.

-Windows Media Player 9
Mozilla automatically detects the Media Player plugin, but unfortunately,
Microsoft doesn't want to let Mozilla users use Media Player 9. Luckily,
it's a short registry fix away. Just open regedit and navigate to
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\ShimInclusionList" Then,
just add a key for "MOZILLA.EXE" or "FIREFOX.EXE" if you use Mozilla
Firefox.

GetRight and other 3rd Party Download Managers
Unfortunately, there is no support yet for 3rd party applications to
interface with Mozilla. There is a bug filed on bugzilla. You can vote for
this bug, if it interests you.

Error Pages
Don't like that dialog box that pops up when a server is down? You can use
error pages similar to IE, though this feature is quite buggy. To enable it,
type "about:config" in the url bar. Add a new boolean value and title it
"browser.xul.error_pages.enabled" Set this to true, and enjoy your new error
pages. Change this to false to set it back if the bugginess bothers you.
Eventually, this will be the default setting.

Paint Delay
People often complain that Mozilla is slower than IE, but this is often just
a matter of perception. To make Mozilla seem faster, we can adjust the paint
delay. First, an explanation of what's going on: When Mozilla starts loading
a page, it waits 1200ms before it starts to render the page. This is because
it at first doesn't have enough information downloaded to accurately draw
the page, so it waits a little so it won't have to reflow as much. This
saves CPU power, and thusly can reduce the actual time required to render
the page. Unfortunately, this makes it seem slower, because you have to wait
a second before anything appears. With today's fast CPUs, it's not
unreasonable to spend the extra CPU cycles to make the browser seem faster
and allow you to start reading the page one second sooner. To do this, type
"about:config" in the url bar and add an integer string with the name
"nglayout.initialpaint.delay" and set it to zero. You can adjust this value
for anything you like.

Bookmark keywords
These can really save you a lot of time. Allow me to explain. As an example,
you might set one up for Google with the keyword "g." Now, say you want to
search for "monkey pants." Instead of loading up Google and typing in your
search query, you can just type "g monkey pants" in the url bar. You can set
these up for pretty much any web form online. Details about setting this up
can be found here:
http://www.mozilla.org/docs/end-user/keywords.html

Find As You Type
This is another one of those features that's so convenient you'll be trying
it in other programs out of habit. The first use of this is mouseless
navigation. Just start typing on a page, and matching links will be
highlighted. Hit enter, and never take your hands off the keyboard. You can
also use this to search through all text, not just links, by typing a slash
(/) before your search string. It may not sound like a big deal, but this
feature rocks.

alt text
You may notice that those little yellow help boxes don't appear when you
hover over images in Mozilla. The reason behind this is that alternate text
as implemented by IE and Netscape 4.x is technically incorrect. The ALT tag
is designed to be used as an alternate to an image for text-based browsing
or for blind people. Supplemental text to an image, as most web developers
use ALT, should be done with the TITLE tag. In an effort to convince more
web developers to use the HTML specs properly, Mozilla has opted to use the
ALT tag correctly. However, if you want to see the ALT popups like in IE,
check out this extension:
http://white.sakura.ne.jp/~piro/xul/_popupalt.html.en
